Should I sync AD and Office 365 for new server and PCs

timeshifter

Four person business. All new Windows 10 PCs getting installed this week. Old PowerEdge T310 server was running Server 2008 now has a clean install of Windows Server 2019 Essentials. Note that the server usage is very minimal. Only one person really uses it as far as I can tell, and that's for an old Access database app. Email is currently on Office 365 email only package. Going to upgrade to Business Premium so they'll have latest Office desktop apps.

I'm prepping the server right now. Getting ready to add AD role and set up new domain, etc. But I feel like I should be doing this differently. Should I be setting it up to tie their Office 365 and Server directory services together in some way, maybe with directory synchronization for Office 365 or Azure Active Directory Seamless Single Sign-On?
 
I'm not sure why you put that new OS on the old server platform... I'd have just done away with the thing entirely and let O365 do the lifting.

But, now they are stuck with it, you're considering AD Sync. That would be nice, however... Doing so removes online password servicing, and should that old door stop of a server fail, all those accounts are now stuck without a master and you get to argue with that to fix it.

Making everything a part of the Azure Directory would be far more sane, but does confuse permissions settings a bit; you also lose out on group policy. But that is the far more sane path, because when that server blows up you won't have to argue with the workstations at least.
 
I'm not sure why you put that new OS on the old server platform... I'd have just done away with the thing entirely and let O365 do the lifting.
How would that have worked with the Access database? There's mostly only one user, but a second user sometimes needs to see it, otherwise I could have made it local to that one PC.
Making everything a part of the Azure Directory would be far more sane, but does confuse permissions settings a bit; you also lose out on group policy. But that is the far more sane path, because when that server blows up you won't have to argue with the workstations at least.
So I should use Azure Active Directory (Azure AD) as the base for everything?
 
Access Database? What about it? It's just a file... a file in a folder. That could have been synchronized via OneDrive, and stored in a Teams file library and accessed as such with a click.

If I'm telling you anything, it's to abandon the door stop of a server. Put everything else in Azure AD and eat / refund the cost of that 2019 essentials seat you sold that you shouldn't have. UNLESS they have a LOB of some sort that requires that local server, then sure refurb the thing but make it clear it's a transition vehicle, run everything out of teams and stuff everything they own into Azure AD just because.

Some business owners are leery of the cloud and appreciate that middle step too... you know your client... you'll have to spin this a bit. But from what you've said here, they don't need that server.
 
Access Database? What about it? It's just a file... a file in a folder. That could have been synchronized via OneDrive, and stored in a Teams file library and accessed as such with a click.
I'm not arguing, I honestly don't know. Can't envision sharing an Access database in cloud storage. Two different users can have the file open at the same time, both making updates, etc.?
 
I'm not arguing, I honestly don't know. Can't envision sharing an Access database in cloud storage. Two different users can have the file open at the same time, both making updates, etc.?

O365 handles that... the exact same way Office always did... that is one person in the file at a time. You can't multi-user Access without some sort of front end.

But, if you access the file via Teams, multi-user just works just as it does with Excel. Via SharePoint fueled black magic.
 
Well...

AD is not AAD, but it SHOULD BE.

AD syncs into AAD, AAD can password write back to AD, though the latter costs money. The interactions between these two separate services that shouldn't be separate at all Microsoft calls hybrid identity. The key point here is AD is the foundation; you go from there into AAD and never back again, other than in specific places such as password writeback.

There is an Azure service that runs AD, or you can set up a VPS in AD to run your domain controller for basically the same money. I prefer the latter as it affords me more control. Either way, you wind up building a VPN tunnel from the office to the cloud, and the domain controller works over that tunnel, all of which is exactly the same as AD always has been.

AAD is sort of a subset of AD, but for all the cloud apps as a result. Group Policies are being replaced by Intune Policy Sets. Intune plus basic AAD is enough to replace most of what AD provides for small organizations.

But yeah, finding the lines Microsoft has drawn in the sand is inordinately difficult. AAD gets new toys almost daily, and eventually will eclipse AD... even with MS's execs trying to stop it. Intune is duplicating a ton of RMM functionality as well, so those are feeling the pinch too.
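The two points above, that synced accounts are mastered on-prem and go "stuck without a master" if the AD Connect server dies, and that identity flows AD into AAD with only password writeback coming back, can be checked rather than assumed. The following is an added example written for this thread, not something posted by any of the participants. It assumes the Microsoft.Graph.Users PowerShell module with User.Read.All consent for the tenant half, and that the ADSync half is run on the Azure AD Connect server itself (the ADSync module ships with it). The two-hour staleness threshold is an arbitrary choice for illustration.

```powershell
# Added example (not from the thread). Assumes Microsoft.Graph.Users is installed
# and the signed-in account can be granted User.Read.All.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All"

# Pull every user with the two attributes that tell you where the identity is mastered.
#   onPremisesSyncEnabled -eq $true  -> synced from on-prem AD (AD is the master)
#   otherwise                        -> cloud-only (Azure AD is the master)
$users = Get-MgUser -All -Property DisplayName,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime

$users |
    Select-Object DisplayName, UserPrincipalName,
        @{ Name = 'MasteredIn'; Expression = { if ($_.OnPremisesSyncEnabled) { 'On-prem AD' } else { 'Cloud-only' } } },
        OnPremisesLastSyncDateTime |
    Format-Table -AutoSize

# Synced accounts whose last sync is older than the threshold: this is what the
# "server died" failure mode looks like from the cloud side. Threshold is an assumption.
$staleAfterHours = 2
$stale = $users | Where-Object {
    $_.OnPremisesSyncEnabled -and
    $_.OnPremisesLastSyncDateTime -lt (Get-Date).ToUniversalTime().AddHours(-$staleAfterHours)
}
if ($stale) {
    Write-Warning ("{0} synced account(s) have not synced in {1}h; check the Azure AD Connect server." -f $stale.Count, $staleAfterHours)
}

# --- Run this part on the Azure AD Connect server ---
Import-Module ADSync

# Is the scheduler enabled, and is it a staging server (which does not export)?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SyncCycleInProgress, StagingModeEnabled, NextSyncCycleStartTimeInUTC

# Which optional tenant features are on for this sync (password hash sync, writebacks, ...).
Get-ADSyncAADCompanyFeature

# Empty output here means no connector run is in progress (nothing hung).
Get-ADSyncConnectorRunStatus

# To push a change now instead of waiting for the next scheduled cycle:
# Start-ADSyncSyncCycle -PolicyType Delta
```

If the Graph report shows every user as "On-prem AD" and the T310 is the only domain controller, that box is a single point of failure for password changes and for anything that depends on writeback; keeping the tenant's global administrator as a cloud-only account (so it still works when sync is down) is the usual minimum safeguard.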
 
If you're going to be putting traditional resources in Azure, AAD-AD Connect has some additional benefits:

To use Azure's Windows Virtual Desktop you need traditional AD connected to AAD, or be using AAD DS.

To use an Azure Storage account File Share from Windows using user authentication you need AAD DS, or AD Connect to AAD (the latter is currently only in preview).
 